InterAS option B security problem

Vladleonov
Level 1

Our customer is looking to protect their MPLS infrastructure from spoofed labels when using Inter-AS VPN Option B peering with other providers.

I refer to the situation when our peer sends us packets with labels that are present in our forwarding table but have not been announced to this peer.

Could you recommend any solution or workaround to solve this problem?
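
The condition in the question above, as an added example that is not part of the original post and is not a router feature or configuration: a small Python model in which a label can be present in the forwarding table without having been announced to the peer that sends it. The class, function names, peer names and label values are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class AsbrModel:
    """Toy model of an ASBR's label state (hypothetical, for illustration)."""
    lfib: set = field(default_factory=set)          # every label installed locally
    advertised: dict = field(default_factory=dict)  # peer -> labels announced to it

    def install(self, label, announce_to=()):
        """Install a label and record which peers it was announced to."""
        self.lfib.add(label)
        for peer in announce_to:
            self.advertised.setdefault(peer, set()).add(label)

    def classify(self, peer, label):
        """Classify one labeled packet received from `peer`."""
        if label not in self.lfib:
            return "unknown-label"       # no forwarding entry at all
        if label not in self.advertised.get(peer, set()):
            return "not-announced"       # valid entry, but never given to this peer
        return "expected"


def audit(asbr, observed):
    """Return sorted (peer, label) pairs that hit the LFIB without being announced."""
    return sorted({(p, l) for p, l in observed
                   if asbr.classify(p, l) == "not-announced"})


def build_sample():
    """Constructed label values and peer names; not taken from any real network."""
    asbr = AsbrModel()
    asbr.install(24001, announce_to=["peer-A"])   # VPN route shared with peer-A
    asbr.install(24010, announce_to=["peer-B"])   # VPN route shared with peer-B only
    asbr.install(16005)                           # internal label, announced to nobody
    return asbr


SAMPLE_PACKETS = [  # constructed (ingress peer, top label) observations
    ("peer-A", 24001), ("peer-A", 24010), ("peer-A", 16005),
    ("peer-A", 99999), ("peer-B", 24010),
]

if __name__ == "__main__":
    asbr = build_sample()
    for peer, label in SAMPLE_PACKETS:
        print(peer, label, asbr.classify(peer, label))
    print("findings:", audit(asbr, SAMPLE_PACKETS))
```

The model separates a label with no forwarding entry from a label that has an entry but was announced to a different peer or to no peer; only the second case is the one the question asks about.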


libanm
Level 1

Models B and C allow for more interaction between ASes, but they increase the risk of intrusions and DoS attacks from the other autonomous systems. Model A is the most secure method.

With Options B and C, each AS can send traffic into any VPN of another AS, whether this VPN is shared or not, although it cannot always receive return traffic. This can be used for DoS attacks or simple intrusions.

So there must be TRUST between the two providers, and some sort of security must be implemented between the two ASBRs.

If there is inherent trust between the 2 service providers about ethical business practices (as security can be breached no matter what if either of the SPs is not trustworthy).

Having said that, if you enable MD5 authentication on your MP-EBGP, it should be working fine and it's comparable to the security level you get in Option A.

Also, if you receive an incoming label at your ASBR which is not known, the ASBR would drop it there rather than forwarding it to the PE to reach the CE.

So there shouldn't be much to worry about with Option B.

Can you specifically mention what exact concern the customer has?

HTH-Cheers,

Swaroop
